CSL Technical Report SRI-CSL-06-01 • May 23, 2006

Integrating Simplex with DPLL(T )

Bruno Dutertre and Leonardo de Moura

This report is based upon work supported by the Defense Advanced Research ProjectsAgency (DARPA) under Contract No. NBCHD030010. Any opinions, findings, and con-clusions or recommendations expressed in this material are those of the authors and donot necessarily reflect the views of DARPA or the Department of Interior National BusinessCenter (DOI-NBC).

Computer Science Laboratory • 333 Ravenswood Ave. • Menlo Park, CA 94025 • (650) 326-6200 • Facsimile: (650) 859-2844

Abstract

We present a new Simplex-based linear arithmetic solver that can be integrated efficiently in theDPLL(T ) framework. The new solver improves over existing approaches by enabling fast back-tracking, supporting a priori simplification to reduce the problem size, and providing an efficientform of theory propagation. We also present a new and simple approach for solving strict inequal-ities. Experimental results show substantial performance improvements over existing tools that useother Simplex-based solvers in DPLL(T ) decision procedures. The new solver is even competitivewith state-of-the-art tools specialized for the difference logic fragment.

Contents

1 Introduction 4

2 Background 62.1 Solvers for DPPL(T ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2 Existing Simplex Solvers for DPLL(T ) . . . . . . . . . . . . . . . . . . . . . . . . 72.3 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3 A Linear-Arithmetic Solver for DPLL( T ) 113.1 Preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113.2 Basic Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

3.2.1 Main Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2.2 Generating Explanations . . . . . . . . . . . . . . . . . . . . . . . . . . .153.2.3 Assertion Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163.2.4 Backtracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163.2.5 Theory Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173.2.6 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

3.3 Strict Inequalities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18

4 Integer and Mixed Integer Problems 204.1 Branch and Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204.2 Gomory Cuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

4.2.1 Derivation of a Gomory Cut . . . . . . . . . . . . . . . . . . . . . . . . .224.2.2 A Stronger Gomory Cut . . . . . . . . . . . . . . . . . . . . . . . . . . .24

5 Experiments 26

6 Conclusion 31

1

List of Figures

2.1 Impact of Theory Propagation in Simplics . . . . . . . . . . . . . . . . . . . . . .10

3.1 Auxiliary procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123.2 Check procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133.3 Assertion procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163.4 Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

5.1 Ario 1.1 vs. New Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275.2 BarcelogicTools vs. New Solver . . . . . . . . . . . . . . . . . . . . . . . . . . .285.3 CVC Lite 2.0 vs. New Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285.4 MathSAT 3.3.1 vs. New Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . .295.5 Simplics vs. New Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295.6 Yices vs. New Solver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

2

List of Tables

5.1 Experimental results: Summary . . . . . . . . . . . . . . . . . . . . . . . . . . .27

3

Chapter 1

Introduction

Decision procedures for quantifier-free linear arithmetic determine whether a boolean combinationof linear equalities, inequalities, and disequalities is satisfiable. Several tools for solving this prob-lem rely on the DPLL(T ) approach [11]: they combine boolean satisfiability solvers based on theDavis-Putnam-Logemann-Loveland (DPLL) procedure, and arithmetic solvers capable of decidingthe satisfiability of conjunctions of linear constraints. Results of a first satisfiability modulo the-ories (SMT) competition, comparing several of these tools, are presented in [3]. In thedifferencelogic fragment of linear arithmetic, that is, if all the constraints are of the formxi − xj ≤ b,specialized solvers such as Barcelogic [14] or Slice [19] use graph algorithms such as the Bellman-Ford algorithm. For general linear arithmetic, existing tools rely either on Fourier-Motzkin elimina-tion [8] (used by CVClite [2], CVC [18], SVC [4]) or on Simplex methods [7] (used by MathSat [6],ICS [10], Simplics, Yices, ARIO [17]). In practice, Fourier-Motzkin elimination explodes on manyproblems and Simplex is generally superior. The worst-case complexity of Simplex is exponentialbut this worst case is rarely encountered in practice. On the other hand, Fourier-Motzkin eliminationtends to generate a very large number of intermediate inequalities which causes it to often fail byrunning out of memory.

The common methods for integrating a Simplex solver with DPLL rely on incremental versionsof Simplex such as described in [15, 9, 12, 1]. A tableau is constructed and updated incrementally:rows are added as DPLL proceeds and are later removed when DPLL bactracks. These frequentaddition and removal of rows and the related bookkeeping have a significant cost. For example,backtracking may require pivoting operations. This report presents a simpler and more efficientSimplex-based solver that considerably reduces this overhead. The approach relies on transformingthe original formulaΦ into an equisatisfiableΦ′ such that the satisfiability ofΦ′ is decided by solvinga series of problems of the form

find x ∈ Rn such thatAx = 0 andli ≤ xi ≤ ui for i = 1, . . . , n,

where the matrixA is fixed andli andui are bounds onxi that may vary with each problem. Variantsof Simplex can efficiently solve problems in this form. This report describes such a variant designedto be efficient in the DPLL(T ) context: it has low backtracking overhead and enables a simple butuseful form of theory propagation. Furthermore, the new approach makes it possible to simplifythe problem a priori by eliminating irrelevant variables. This pre-simplification leads to substantialperformance improvements on many examples from the SMT-LIB benchmarks.

4

We first give an overview of the DPLL(T ) approach and discuss some lessons learned fromour tools Yices and Simplics. Our new solver relies on a simplex-based procedure for real lineararithmetic described in details in Chapter 3. Extension to integer and mixed-integer problems isdiscussed in Chapter 4, and experimental results are presented in Chapter 5.

5

Chapter 2

Background

Given a quantifier-free theoryT , a T -solver is a procedure for deciding whether a finite sets ofatoms ofT is satisfiable. IfΦ is a formula built by boolean combination of atoms ofT , then thesatisfiability ofΦ can be decided by combining a boolean satisfiability solver and aT -solver. Thiscan be summarized as follows:

• FirstΦ is transformed into a propositional formulaΦ0 by replacing its atomsφ1, . . . , φt withfresh propositionsp1, . . . , pt.

• A boolean valuation forΦ0 is a mappingb from Φ0’s propositions to{0, 1}. Any suchbdefines a set of atomsΓb = {γ1, . . . , γt}whereγi is φi if b(pi) = 1 andγi is¬φi if b(pi) = 0.ThenΦ is satisfiable if there is ab that satisfiesΦ0 (in propositional logic) and for whichΓbis consistent (in theoryT ).

The DPLL(T ) approach is an efficient method for such integrations that relies on the DPLL proce-dure.

The efficiency of this approach depends to a large extent on the features of modern DPLL-basedSAT solver, such as, fast unit propagation, good heuristics for selecting decision variables, clauselearning, and non-chronological backtracking. However, a fast SAT solver is not sufficient, severalproperties of theT -solver are also important.

2.1 Solvers for DPPL(T )

In the DPLL(T ) framework, aT -solver maintains a state that is an internal representation of theatoms asserted so far. This solver must provide operations for updating the state by asserting newatoms, checking whether the state is consistent, and for backtracking. Optionally, the solver mayalso implementtheory propagation, that is, identify atoms that are implied by the current state. Tointeract with the DPLL search, the solver must produceexplanationsfor conflicts and propagatedatoms. In an inconsistent stateS, an explanation is any inconsistent subset of the atoms assertedin S. Similarly, an explanation for an implied atomγ is a subsetΓ of the asserted atoms such thatΓ |= γ. In both cases, the explanation isminimal if no proper subset ofΓ is itself an explanation.

The solver is assumed initialized for a fixed formulaΦ and we denote byA the set of atoms thatoccur inΦ. The set of atoms asserted so far is denoted byα. The solver also maintains a stack of

6

checkpointsthat mark consistent states to which the solver can backtrack. We assume that aT -solverimplements the following API.1

• Assert(γ) asserts atomγ in the current state. It returns eitherok or unsat〈Γ〉 whereΓ is asubset ofα. In the first case,γ is inserted intoα. In the latter case,α ∪ {γ} is inconsistentandΓ is the explanation.

• Check() checks whetherα is consistent. If so, it returnsok, otherwise it returnsunsat〈Γ〉. AspreviouslyΓ ⊆ α is an explanation for the inconsistency. A new checkpoint is created whenok is returned.

• Backtrack() backtracks to the consistent state represented by the checkpoint on the top of thestack.

• Propagate() performs theory propagation. It returns a set{〈Γ1, γ1〉, . . . , 〈Γt, γt〉}whereΓi ⊆α andγi ∈ A \ α. Everyγi is implied byΓi.

Assertmust be sound but is not required to be complete:Assert(γ) may returnok even ifα∪{γ}is inconsistent. Similarly,Propagatemust be sound but does not have to be exhaustive. For exam-ple, a solver without theory propagation can returnPropagate() = ∅ for anyS. On the other hand,function Checkis required to be sound and complete: ifCheck() = ok thenα must be consis-tent. This model enables several atoms to be asserted in a single “batch”, using several calls toAssertfollowed by a single call toCheck. Assertcan then implement only inexpensive (and possi-bly incomplete) consistency checks whileCheckimplements a complete (and possibly expensive)consistency-checking procedure. The stateS′ after executingBacktrackmust be logically equivalentto the stateS when the checkpoint was created, butS′ may be different fromS.

2.2 Existing Simplex Solvers for DPLL(T )

A quantifier-free linear arithmetic formula is a first-order formula whose atoms are either proposi-tional variables or equalities, disequalities, or inequalities of the form

a1x1 + . . . + anxn ./ b,

wherea1, . . . , an andb are rational numbers,x1, . . . , xn are real (or integer) variables, and./ isone of the operators=,≤, ,≥, or 6=. In the DPLL(T ) framework, deciding the satisfiability ofsuch formulas requires a linear-arithmetic solver. A common approach is to use incremental formsof Simplex similar to the algorithms described in [15,9,12,1]. Tools based on this approach includeour own tools, Yices and Simplics, and others such as MathSat [6].

In these algorithms, a solver state includes a Simplex tableau that is derived from all equalitiesand inequalities asserted so far. A tableau can be written as a set of equalities of the form

xi = bi +∑

xj∈Naijxj , xi ∈ B (2.1)

whereB andN are disjoint sets of variables. Elements ofB andN are calledbasicandnon-basicvariables, respectively. Additional constraints are imposed on some variables ofB ∪ N . So-called

1This is similar to the API proposed in [11].

7

slack variablesare required to be non-negative, and the tableau may also containzero variables,which are all implicitly equal to0. Zero-variables are used to generate explanations (cf. [15]).

A pivoting operationpivot(xr, xs) swaps a basic variablexr and a non-basic variablexs suchthatars 6= 0. After pivoting,xs becomes basic andxr becomes non-basic. The tableau is updatedby replacing equationxr = br +

∑xj∈N arjxj with

xs = −brars

+xrars

−∑

xj∈N \{xs}

arjxjars

(2.2)

then equation (2.2) is used to eliminatexs from the rest of the tableau by substitution.Assertion of equalities or inequalities adds new equations to the tableau. For example, letγ

be an atom of the formt ≥ 0 wheret is an arithmetic term. The operationAssert(γ) involvesthree steps. First,γ is normalized by substituting any basic variablexi occurring int with the termbi +

∑xj∈N aijxj . The solver checks then whether the resulting inequalityt

′ ≥ 0 is satisfiable.This step uses the Simplex algorithm to maximizet′ subject to the tableau constraints. Ift′ hasa maximumM andM is negative, thent′ ≥ 0 is not satisfiable and an explanation is generated.Otherwise, a fresh slack variablesk is created and a row of the formsk = t′′ is added to thetableau. Some bookkeeping is required to record thatsk is nonnegative and is associated with atomγ. Processing of equalities and strict inequalities follows the same general principles. Backtrackingremoves rows from the tableau. For example, to retractγ, the solver retrieves the slack variableskassociated withγ. If sk is a basic variable in the current state then the corresponding equation isremoved from the tableau. Otherwise, a pivoting operation is applied first to makesk basic.

Disequalities are treated separately since they cannot be incorporated into the tableau. When adisequalityt 6= 0 is asserted, it is first normalized as before, then the solver must check whether thecurrent tableau impliest = 0. This can be implemented via thezero-detection proceduredescribedin [15] for example.

2.3 Performance

Assertions and backtracking have a significant cost in solvers based on incremental Simplex algo-rithms. Part of this cost (e.g., the pivoting involved inAssertoperations) cannot be avoided, but thereis also significant overhead in the frequent additions and removals of rows, creations and deletionsof slack variables, and the associated bookkeeping. The remainder of the paper describes a differenttype of solver, still based on the Simplex method, which significantly reduces this overhead. Thenew approach is simpler and more uniform than incremental Simplex. It is also more economical asirrelevant variables can be eliminated a priori and fewer slack variables are necessary.

Some of the simplifications are based on lessons we learned from experiments with our previoustools Simplics and Yices:2

• Minimal explanations are critical. Dramatic improvements were observed when comparingSimplics and Yices, which generate minimal explanations, and their predecessor ICS, whichdoes not.

2Both use incremental Simplex and zero detection.

8

• Theory propagation is useful if it can be done cheaply. Figure 2.1 compares the results ofSimplics on the real-arithmetic subset of the SMT-LIB benchmarks3 using different levels oftheory propagation. By default, Simplics uses a heuristic form of propagation that’s relativelyinexpensive but incomplete (no pivoting is used). This is compared in Figure 2.1(a) withSimplics running with no propagation at all, and in Figure 2.1(b) with Simplics running withcomplete propagation (where pivoting is used). On these benchmarks, full propagation isjust too expensive, but no propagation is also a poor choice. Heuristic propagation is clearlysuperior.

• Zero detection is expensive and can be avoided. On a few examples in the SMT-LIB bench-marks, Simplics spends as much as 30% of its time in the zero-detection procedure. A sim-pler alternative is to rewrite a disequalityt 6= 0 as the disjunction of two strict inequalities(t < 0) ∨ (t > 0). This transformation may seem wasteful since it may entail additional casesplits, but it works well in practice. After this transformation, Simplics can solve six problemsof the SMT-LIB benchmarks that it cannot solve otherwise.

3These benchmarks are available athttp://combination.cs.uiowa.edu/smtlib/ . The real-arithmetic sub-set includes two categories of benchmarks known as QFRDL and QFLRA.

9

http://combination.cs.uiowa.edu/smtlib/

0.01

0.1

1

10

100

1000

0.01 0.1 1 10 100 1000

no p

ropa

gatio

n

heuristic propagation

(a) Heuristic vs. No Propagation

0.01

0.1

1

10

100

1000

0.01 0.1 1 10 100 1000

full

prop

agat

ion

heuristic propagation

(b) Heuristic vs. Full Propagation

Figure 2.1: Impact of Theory Propagation in Simplics

10

Chapter 3

A Linear-Arithmetic Solver forDPLL( T )

3.1 Preprocessing

Incremental Simplex algorithms can be avoided by rewriting a linear arithmetic formulaΦ into anequisatisfiable formula of the formΦA ∧ Φ′, whereΦA is a conjunction of linear equalities, and allthe atoms occurring inΦ′ areelementary atomsof the formy ./ b, wherey is a variable andb is arational constant. The transformation is straightforward. For example, letΦ be the formula

x ≥ 0 ∧ (x + y ≤ 2 ∨ x + 2y − z ≥ 6) ∧ (x + y = 2 ∨ x + 2y − z > 4).

We introduce two variabless1 ands2 and rewriteΦ to ΦA ∧ Φ′ as follows.

(s1 = x + y ∧ s2 = x + 2y − z) ∧(x ≥ 0 ∧ (s1 ≤ 2 ∨ s2 ≥ 6) ∧ (s1 = 2 ∨ s2 > 4))

Clearly, this new formula andΦ are equisatisfiable. In general, starting from a formulaΦ, thetransformation introduces a new variablesi for every linear termti that is not already a variable andoccurs as left-hand side of an atomti ./ b of Φ. ThenΦA is the conjunction of all the equalitiessi = ti andΦ′ is obtained by replacing every termti by the correspondingsi in Φ.

Let x1, . . . , xn be the arithmetic variables ofΦA ∧ Φ′, that is, all the variables originally inΦandm-additional variabless1, . . . , sm introduced by the previous transformation (m ≤ n). ThenformulaΦA can be written in matrix form asAx = 0, whereA is a fixedm× n rational matrix andx is a vector inRn. The rows ofA are linearly independent soA has rankm. Checking whetherΦis satisfiable amounts to finding anx such thatAx = 0 andx satisfiesΦ′. In other words, checkingthe satisfiability ofΦ in linear arithmetic is equivalent to checking the satisfiability ofΦ′ in lineararithmetic moduloAx = 0. Since all atoms ofΦ′ are elementary, this requires a solver for decidingthe consistency of a set of elementary atomsΓ modulo the constraintsAx = 0. If Γ contains onlyequalities and (non-strict) inequalities, this reduces to searching forx ∈ Rn such that

Ax = 0 and lj ≤ xj ≤ uj for j = 1, . . . , n (3.1)

11

procedureupdate(xi, v)for eachxj ∈ B, β(xj) := β(xj) + aji(v − β(xi))β(xi) := v

procedurepivotAndUpdate(xi, xj , v)θ := v−β(xi)aijβ(xi) := vβ(xj) := β(xj) + θfor eachxk ∈ B \ {xi}, β(xk) := β(xk) + akjθpivot(xi, xj)

Figure 3.1: Auxiliary procedures

wherelj is either−∞ or a rational number, anduj is either+∞ or a rational number. Iflj = ujthenxj is called afixed variable. If lj = −∞ anduj = +∞ thenxj is afree variable.

Since the elementary atoms ofΦ′ are known in advance, we can immediately simplify the con-straintsAx = 0 by removing any variablexi that does not occur in any elementary atom ofΦ′.This is done by Gaussian elimination. In practice, this presimplification can reduce the matrix sizesignificantly.

The variablessi introduced during the transformation play the same role as the slack variablesof standard Simplex. However, the presence of both lower and upper bounds is beneficial. Forexample, incremental Simplex algorithms need two slack variables to represent a constraint such as1 ≤ x+3y ≤ 4, whereas a singlesk is sufficient if the general form (3.1) is used. Overall, rewritingΦ into ΦA ∧ Φ′ and relying on the general form leads to problems with fewer variables than thealgorithms discussed previously.

3.2 Basic Solver

We first describe a basic solver that handles equalities and non-strict inequalities with real variables.Extensions to strict inequalities and integer variables are presented in the next sections. The basicsolver decides the satisfiabilities of problems in form (3.1) and implements the API of Section 2.1for integration with a DPLL-based SAT solver.

The solver state includes a tableau derived from the constraint matrixA. We will write such atableau in the form:

xi =∑

xj∈Naijxj xi ∈ B,

whereB andN denote the set of basic and non-basic variables, respectively.1 Since all rows of thistableau are linear combinations of rows of the original matrixA, the equalityxi =

∑xj∈N aijxj is

satisfied by anyx such thatAx = 0.

1This is the same as (2.1) withbi = 0 for all xi ∈ B.

12

1. procedureCheck()2. loop3. select the smallest basic variablexi such thatβ(xi) < li or β(xi) > ui4. if there is no suchxi then return satisfiable5. if β(xi) < li then6. select the smallest non-basic variablexj such that7. (aij > 0 andβ(xj) < uj) or (aij < 0 andβ(xj) > lj)8. if there is no suchxj then return unsatisfiable9. pivotAndUpdate(xi, xj , li)10. if β(xi) > ui then11. select the smallest non-basic variablexj such that12. (aij < 0 andβ(xj) < uj) or (aij > 0 andβ(xj) > lj)13. if there is no suchxj then return unsatisfiable14. pivotAndUpdate(xi, xj , ui)15. end loop

Figure 3.2: Check procedure

In addition to this tableau, the solver state stores upper and lower boundsli andui for everyvariablexi and a mappingβ that assigns a rational valueβ(xi) to every variablexi. The bounds onnon-basic variables are always satisfied byβ, that is, the following invariant is maintained

∀xj ∈ N , lj ≤ β(xj) ≤ uj . (3.2)

Furthermore,β satisfies the constraintAx = 0. In the initial state,lj = −∞, uj = +∞, andβ(xj) = 0 for all j.

Figure 3.1 describes two auxiliary procedures that modifyβ. Procedureupdate(xi, v) sets thevalue of a non-basic variablexi to v and adjusts the value of all basic variables so that all equationsremain satisfied. ProcedurepivotAndUpdate(xi, xj , v) applies pivoting to the basic variablexi andthe non-basic variablexj ; it also sets the value ofxi to v and adjusts value of all basic variables tokeep all equations satisfied.

3.2.1 Main Algorithm

The main procedure of our algorithm is based on the dual Simplex algorithm and relies on Bland’spivot-selection rule to ensure termination. It relies on a total order on the variables. Assuming anassignmentβ that satisfies the previous invariants, but whereli ≤ β(xi) ≤ ui may not hold forsome basic variablesxi, procedureChecksearches for a newβ that satisfies all constraints. Theprocedure is shown in Figure 3.2.

It either terminates with a new assignment and basis that satisfy all lower and upper bounds (line4), or finds the constraints to be unsatisfiable (lines 8 and 13). The body of the main loop selects abasic variablexi that does not satisfy its bounds (line 3). Ifxi is belowli, then it looks for a variablexj in the rowxi =

∑xj∈N aijxj that can compensate the gap inxi (lines 6-7). If no suchxj exists

the problem is unsatisfiable (line 8) because the value ofxi is maximal and is below the lower boundli. Otherwise, the procedure pivotsxi andxj , andxi is set toli (line 9). The case wherexi is aboveits upper bound (lines 10-14) is symmetrical.

13

The correctness ofCheckis a consequene of the following property.

Theorem 1 Procedure Check always terminates.

Proof: Every iteration ofCheckmodifies the assignmentβ, the sets of basic and non-basic variables,and the current tableau. However, there is a unique tableau for any set of basic variablesB. We canthen represent the state of the procedure before thet-th iteration as a pairSt = 〈βt, Bt〉, whereβt is the assignment andBt is the set of basic variables at that point.S0 denotes then the initialstate on entry to the procedure. We also denote byNt the set of non-basic variables inSt, that is,Nt = {x1, . . . , xn} \Bt.

For a non-basic variablexj ∈ Nt, and anyt we have eitherβt(xj) = β0(xj), or βt(xj) = lj orβ(xj) = uj . For any basic variablexi ∈ Bt, we have

βt(xi) =∑

xj∈Nt

aijβt(xj)

where the constantsaij are the tableau coefficients inSt. Hence,βt(xi) is uniquely determined byBt and the valuesβ(xj) for xj ∈ Nt. There are then finitely many possible assignmentsβt for agivenBt. Since the number of variables if finite, there are finitely many possible setsBt. Therefore,the set of states reachable fromS0 is finite. If Checkdoes not terminate, the sequence of statesS0, S1, S2, . . . must contain a cycle, that is, a subsequenceSk, . . . , St, St+1 with St+1 = Sk.

Let xr be the largest variable such thatxr becomes non-basic in one of the statesSk, . . . , St. Wethen havexr ∈ Bl andxr ∈ Nl+1 for an indexl ∈ {k, . . . , t}. Sincexr becomes non-basic in stateSl, we must have eitherβl(xr) < lr or βl(xr) > ur. Also, for any variablexj that is smaller thanxr in the variable ordering we havelj ≤ βl(xj) ≤ uj . This holds ifxj ∈ Bl since otherwisexjwould be selected to become non-basic rather thanxr (Fig. 3.2, line 3). This also holds ifxj ∈ Nlby invariant (3.2).

Since the sequence of state is cyclic,xr must eventually re-enter the basis. LetSp be the firststate afterSl+1 wherexr becomes basic again:xr ∈ Np andxr ∈ Bp+1. Sincexr stays non-basicin all statesSl+1, . . . , Sp its value does not change, so we haveβp(xr) = βl+1(xr). Let xs be thebasic variable that is pivoted withxr in Sp and let

xs =∑

xj∈Np

asjxj (3.3)

be the corresponding row inSp’s tableau. Sincexs leaves the basis in stateSp, we have eitherβp(xs) < ls or βp(xs) > us.

We can now decompose the proof into the following four cases.

1. βl(xr) < lr andβp(xs) < ls.

2. βl(xr) < lr andβp(xs) > us.

3. βl(xr) > ur andβp(xs) < ls.

4. βl(xr) > ur andβp(xs) > us.

Let us consider the first case. Sinceβl(xr) < lr we haveβp(xr) = βl+1(xr) = lr. Sincexr ischosen to enter the basis inSp andβp(xs) < ls, we must haveasr > 0 (Fig. 3.2, line 7).

14

Equation (3.3) is satisfied by anyx such thatAx = 0. It is then satified by bothβl andβp; sowe get

βl(xs)− βp(xs) =∑

xj∈Np

asj(βl(xj)− βp(xj)) (3.4)

By definition ofxr, we know thatxs is smaller thanxr in the variable ordering, so we havels ≤βl(xs) ≤ us. Since we have assumedβp(xs) < ls, the left-hand side of equation (3.4) is positive.Now, let us consider the termsasj(βl(xj) − βp(xj)) that occur in the right-hand side. In all theseterms,xj is a non-basic variable (i.e.,xj ∈ Np). There are three cases:

• xj is smaller thanxr in the variable order. As noted previously, this implieslj ≤ βl(xj) ≤ uj .Sincexj was not selected to become basic in stateSp, we must have eitherasj > 0 andβp(xj) ≥ uj or asj < 0 andβp(xj) ≤ lj or asj = 0 (line 7). In all these cases we get

asj(βl(xj)− βp(xj)) ≤ 0.

• xj = xr. We haveasr > 0, βl(xr) < lr, andβp(xr) = lr, so we obtain

asr(βl(xr)− βp(xr)) < 0.

• xj is larger thanxr in the variable order. In this case,xj remains non-basic in all the states ofthe cycle so its value never changes. It follows thatβl(xj) = βp(xj) and then

asj(βl(xj)− βp(xj)) = 0.

Thus, for allxj ∈ Np the termasj(βl(xj) − βp(xj)) is negative or zero. This contradicts the factthat the left-hand side of equation (3.4) is positive.

A similar contradiction is obtained in the other three cases. We can then conclude that a cyclicsequence of states cannot occur and then thatCheckterminates. ut

3.2.2 Generating Explanations

An inconsistency may be detected byCheckat line 8 or 13. Let us assume a conflict is detected atline 8. There is then a basic variablexi such thatβ(xi) < li and for all non-basic variablexj wehaveaij > 0 ⇒ β(xj) ≥ uj andaij < 0 ⇒ β(xj) ≤ lj . LetN+ = {xj ∈ N | aij > 0} andN− = {xj ∈ N | aij < 0}. Sinceβ satisfies all bounds on non-basic variables, we haveβ(xj) = ljfor everyxj ∈ N− andβ(xj) = uj for everyxj ∈ N+. It follows that

β(xi) =∑

xj∈Naijβ(xj) =

∑xj∈N+

aijuj +∑

xj∈N−aij lj .

The equationxi =∑

xj∈N aijxj holds for anyx such thatAx = 0. Therefore, for any suchx, wehave

β(xi)− xi =∑

xj∈N+aij(uj − xj) +

∑xj∈N−

aij(lj − xj),

15

1. procedureAssertUpper(xi ≤ ci)2. if ci ≥ ui then return satisfiable3. if ci < li then return unsatisfiable4. ui := ci5. if xi is a non-basic variable andβ(xi) > ci then update(xi, ci)6. return ok

1. procedureAssertLower(xi ≥ ci)2. if ci ≤ li then return satisfiable3. if ci > ui then return unsatisfiable4. li := ci5. if xi is a non-basic variable andβ(xi) < ci then update(xi, ci)6. return ok

Figure 3.3: Assertion procedures

from which one can derive the following implication:∧xj∈N+

xj ≤ uj ∧∧

xj∈N−lj ≤ xj ⇒ xi ≤ β(xi).

Sinceβ(xi) < li, this is inconsistent withli ≤ xi. The explanation for the conflict is then thefollowing set of elementary atoms:

Γ = {xj ≤ uj | j ∈ N+} ∪ {xj ≥ lj | j ∈ N−} ∪ {xi ≥ li}.

It is easy to see thatΓ is minimal. Explanations for conflicts at line 13 are generated in the sameway.

3.2.3 Assertion Procedures

The Assertfunction relies on two procedures shown in Figure 3.3 for updating the boundsli andui. ProcedureAssertUpper(xi ≤ ci) has no effect ifui ≤ ci and returns unsatisfiable ifci < li,otherwise the current upper bound onxi is set toci. If variablexi is non-basic, thenβ is updatedto maintain invariant (3.2). If an immediate conflict is detected at line 3 then generating a minimalexplanation is straightforward.

ProcedureAssertLower(xi ≥ ci) does the same thing for the lower bound. An equalityxi = ciis asserted by calling bothAssertUpperandAssertLower.

3.2.4 Backtracking

Efficient backtracking is important since the number of backtracks is often very large. In our ap-proach, backtracking can be efficiently implemented. We just need to save the value ofui (li) on astack before it is updated by the procedureAssertUpper(AssertLower). This information is used torestore the old bounds when backtracking is performed. Backtracking does not require to save the

16

A0 ={

s1 = −x + ys2 = x + y

β0 = (x 7→ 0, y 7→ 0, s1 7→ 0, s2 7→ 0)

A1 = A0 x ≤ −4 β1 = (x 7→ −4, y 7→ 0, s1 7→ 4, s2 7→ −4)A2 = A1 −8 ≤ x ≤ −4 β2 = β1A3 =

{y = x + s1s2 = 2x + s1

−8 ≤ x ≤ −4s1 ≤ 1

β3 = (x 7→ −4, y 7→ −3, s1 7→ 1, s2 7→ −7)

Figure 3.4: Example

successiveβs on a stack. Only one assignmentβ needs to be stored, namely the one correspondingto the last successfulCheck. After a successfulCheck, the assignmentβ is a model for the currentset of constraints and for the set of constraints asserted at any previous checkpoint. Since no pivotingor other expensive operation is used, backtracking is very cheap.

3.2.5 Theory Propagation

Given a set of elementary atomsA from the formulaΦ′, thenunate propagationis very cheap toimplement. For example, if boundxi ≥ ci has been asserted then any unassigned atom ofA of theform xi ≥ c′ with c′ < ci is immediately implied. Similarly, the negation of any atomxi ≤ u withu < ci is implied. This type of propagation is useful in practice. It occurs frequently in severalSMT-LIB benchmarks.

Another method is based onbound refinement. Given a row of a tableau, such as,xi =∑xj∈N aijxj , one can derive a lower or upper bound onxi from the lower or upper bounds on

the non-basic variablesxj . These computed bounds may imply unassigned elementary atoms withvariablexi. This is a heuristic technique as the computed bounds may be weaker than the currentbounds asserted onxi (for example, the computed bounds may be−∞ or +∞). However, boundrefinement is quite general. It is applicable with any equalitya1x1 + . . . + anxn = 0 derived bylinear combination of rows ofA, not just with rows of a tableau.

3.2.6 Example

Figure 3.4 illustrates the algorithm on a small example. Each row represents a state. The columnscontain the tableaux, bounds, and assignments. The first row contains the initial state. Supposex ≤ −4 is asserted. Then the value ofx must be adjusted, sinceβ0(x) > −4. Sinces1 ands2depend onx, their values are also modified. No pivoting is required since the basic variables do nothave bounds, soA1 = A0. Next, x ≥ −8 is asserted. Sinceβ1(x) satisfies this bound, nothingchanges:A2 = A1 andβ2 = β1. Next,s1 ≤ 1 is asserted. The current value ofs1 does not satisfythis bound, soCheckmust be invoked.Checkpivotss1 andy to decreases1. The resulting stateS3is shown in the last row; all constraints are satisfied.

If s2 ≥ −3 is asserted inS3 andCheckis called then an inconsistency is detected: TableauA2does not allows2 to increase since bothx ands1 are at their upper bound. Therefore,s2 ≥ −3 isinconsistent with stateS3.

17

3.3 Strict Inequalities

The previous method generalizes to strict inequalities using a simple observation.

Lemma 2 A set of linear arithmetic literalsΓ containing strict inequalitiesS = {p1 > 0, . . . , pn >0} is satisfiable iff there exists a rational numberδ > 0 such that for allδ′ such that0 < δ′ ≤ δ,Γδ = (Γ ∪ Sδ) \ S is satisfiable, whereSδ = {p1 ≥ δ, . . . , pn ≥ δ}.

This lemma says that we can replace all strict inequalities by non-strict ones if a small enoughδis known. Rather than computing an explicit value forδ, we treat it symbolically, as aninfinitesimalparameter. Bounds and variable assignments now range over the setQδ of pairs of rationals. A pair(c, k) of Qδ is denoted byc + kδ and the following operations and comparison are defined inQδ:

(c1, k1) + (c1, k2) ≡ (c1 + c2, k1 + k2)a× (c, k) ≡ (a× c, a× k)

(c1, k1) ≤ (c2, k2) ≡ (c1 < c2) ∨ (c1 = c2 ∧ k1 ≤ k2),

wherea is a rational number.By the previous definition, if the inequality(c1, k1) ≤ (c2, k2) holds inQδ then there is a rational

numberδ0 > 0 such that the inequality

c1 + k1� ≤ c2 + k2�

is satisfied by positive real� less thanδ0. For example, we can defineδ0 as follows:

δ0 =c2 − c1k1 − k2

if c1 < c2 andk1 > k2

δ0 = 1 otherwise

More generally, consider2m elements ofQδ, namelyvi = (ci, ki) andwi = (di, hi) for i =1, . . . ,m. If the m inequalitiesvi ≤ wi hold in Qδ then there is a positive rational numberδ0 suchthat the inequalities

c1 + k1� ≤ d1 + h1�...

cm + km� ≤ dm + hm�

are satisfied for any� such that0 < � ≤ δ0. One can take

δ0 = min{

di − ciki − hi

| ci < di andki > hi}

if the set on the right-hand side is nonempty or setδ0 to an arbitrary positive rational otherwise.Now, a linear problemS with strict inequalities in the rationals can be converted into a problem

S′ in the general form (3.1) but where the bounds and the variablesxi are elements ofQδ. Strictbounds inQ are converted to non-strict bounds inQδ. A strict inequalityxi > li is converted to

18

xi ≥ li + δ = l′i, andxi < ui is converted toxi ≤ ui − δ = u′i. The matrixA does not change; allits coefficients are rational numbers. The new problemS′ can be written

Ax = 0l′j ≤ xj ≤ u′j for j = 1, . . . , n

and the basic algorithm can be used to determine whetherS′ is feasible inQδ. This is straighforward;all updates toβ used in the previous algorithm can be performed inQδ.

If S′ is satisfiable, the algorithm produces a satisfying assignmentβ′ that maps variables toelements ofQδ. Thenβ′ can be converted into a satisfying rational assignmentβ for S. First, the2n inequalities

l′j ≤ β′(xj) ≤ u′j for j = 1, . . . , n,

are satisfied inQδ. Let us setl′j = (cj , kj), u′j = (dj , hj), andβ′(xj) = (pj , qj). As discussedpreviously, there is a positive rational numberδ0 such that

cj + kj� ≤ pj + qj� ≤ dj + hj� for j = 1, . . . , n (3.5)

holds in the reals whenever0 < � ≤ δ0. In particular, these inequalities hold when� = δ0. We canthen defineβ by settingβ(xj) = pj + qjδ0 for all xj andβ satisfies all the inequalities (3.5). Byconstruction ofS′ this implies thatβ satisfies all the strict and non-strict inequalities in the originalproblemS. Sinceβ′ satisfies the constraintsAx = 0 in Qδ, it is clear thatβ satisfies the sameconstraintsAx = 0 in the reals soβ is a satisfying assignment forS.

Conversely, ifS is satisfiable in the rationals, then any satisfying assignmentβ for S can betransformed in a straightforward way into a satisfying assignmentβ′ for S′. So if S′ is unsatisfiablein Qδ, S is not satisfiable either in the rationals.

19

Chapter 4

Integer and Mixed Integer Problems

The previous solver is sound and complete for the reals. If some or all of the variablesxi are requiredto be integer, the algorithm is not complete. Nothing ensures that the assignmentβ constructed byCheckgives an integer value to integer variables. To be complete in the integer or mixed integercase, we employ abranch and cutstrategy, that is, the combination of branch-and-bound with acutting plane generation algorithm [16,13]. The branch-and-bound algorithm works when problemsare solved inQδ rather thanQ. In other words, it can be used when strict inequalities are present.The cutting-plane method we use is based on mixed integer Gomory cuts. Such a cutting-planealgorithm is critical as it dramatically accelerate the convergence of branch-and-cut in several cases.

4.1 Branch and Bound

As previously, we consider the constraints

Ax = 0lj ≤ xj ≤ uj for j = 1, . . . , n,

but in addition, some variables are required to be integer valued. The problem is then to find avariable assignmentβ that satisfies the linear equalities and bound constraints, and such thatβ(xj) ∈Z for all j in a fixed setI ⊆ {1, . . . , n}. We denote this problem byS. We can assume without lossof generality that the boundslj anduj are integer (or infinity) for anyj in I.

The branch-and-bound method starts by solving thelinear programming relaxation(LP relax-ation) ofS, that is, it searches for a solutionβ in the reals. In our case, this is done using algorithmCheckof Section 3.2. If the LP relaxation is infeasible, thenS is also infeasible. Otherwise, letβbe the solution found byCheck. If β happens to satisfy all the integer constraints thenS is feasible.Otherwise, there isi ∈ I such thatβ(xi) is not an integer. There is then a constantc ∈ Z such thatc < β(xi) < c + 1, that is,c = bβ(xi)c. Givenc, the original problemS is split into the followingtwo subproblems:

S0 :Ax = 0

lj ≤ xj ≤ uj for j = 1, . . . , n andj 6= ili ≤ xi ≤ c

20

S1 :Ax = 0

lj ≤ xj ≤ uj for j = 1, . . . , n andj 6= ic + 1 ≤ xi ≤ ui.

ThenS0 or S1 (or both) are solved recursively using the same procedure. IfS0 or S1 is satisfiablethenS is also satisfiable. If neither is satisfiable thenS is also infeasible.

Thus, the branch-and-bound method recursively dividesS into a set of smaller subproblemsobtained by modifying lower or upper bounds of the integer variables. This recursive division canbe efficiently implemented via a depth-first search. Unlike traditional branch-and-bound methods,the algorithm does not attempt to minimize or maximize a linear function but stops when the firstinteger-feasible solution is found. If a subproblemS′ encountered during the search is infeasible,thenCheckproduces an explanation, in the form of a minimal set of inconsistent bound constraints.This explanation is exploited to prune the search via non-chronological backtracking.

The branch-and-bound approach works when strict inequalities are present. In such a case theLP-relaxation is solved inQδ rather thanQ. As in the real case, we definebβ(xi)c as the largestinteger less thanβ(xi). Assumingβ(xi) = s + kδ, we then get

bβ(xi)c =

bsc if s 6∈ Zs if s ∈ Z andk ≥ 0s− 1 if s ∈ Z andk < 0

This is the only adjustment required for solving interger or mixed integer problems with strict in-equalities.

4.2 Gomory Cuts

Branch-and-bound terminates if all the integer variables have a lower and an upper bound, that is,if −∞ < lj anduj < ∞ for all j in I. Without such bounds, the algorithm may fail to terminate,even on trivial problems. For example, the constraint

1 ≤ 3x− 3y ≤ 2

is not satisfiable ifx andy are integers, but has unbounded real solutions. On this example, a naı̈vebranch-and-bound implementation loops. Fortunately, we can assume without loss of generality thatlower and upper bounds are given for all variables. IfS is feasible then it has a solution that is anextreme point of its convex hull, and an explicit bound on the magnitude of such extreme points canbe derived from the coefficients of the matrixA (cf. [16, 13]). However, this bound is typically toolarge to ensure quick termination in practice.

To accelerate convergence, modern integer-programming methods combine branch-and-boundwith cutting-plane algorithms. Assumeβ is a solution to the LP-relaxationP of S but not a solutionto S. A cut is a linear inequality

a1x1 + . . . + anxn ≤ b,

that is not satisfied byβ but is satisfied by any element in the convex hull ofS. If one or moresuch cuts can be found, then they can be added as new constraints to the original problemS. Thisgives a new problemS′ that has the same solutions asS but whose LP-relaxationP ′ is strictly moreconstrained thanP . In particular,β is a solution toP but it is not a solution toP ′. Therefore, rather

21

than splittingS into subproblems as previously, one can attempt to find a solutionβ′ to P ′ anditerate the process. Combining cutting-plane and branch-and-bound methods has led to dramaticimprovements in the size of mixed-integer programming problems that can be efficiently solved inpractice [5].

4.2.1 Derivation of a Gomory Cut

Many cut-generation algorithms have been proposed (see [13]). A general method due to Gomory issimple to implement, widely applicable, and known to be quite effective in practice. In our context,let β be the solution returned byCheckto the LP-relaxationP of a problemS. Thus,β is obtainedfrom a tableau of the form

xi =∑

xj∈Naijxj , xi ∈ B.

A mixed integer Gomory cutcan be constructed fromβ and the tableau if the following conditionsare satisfied:

• There is a basic variablexi ∈ B such thati ∈ I andβ(xi) 6∈ Z.

• All non-basic variables occurring in the row corresponding toxi, are assigned to their upperor lower bound:

∀xj ∈ N , aij 6= 0 ⇒ β(xj) = lj ∨ β(xj) = uj .

• All the numbersβ(xi), andβ(xj) for xj occurring in rowi are rationals (i.e., they are not ofthe formc + kδ with k 6= 0).

Let f0 = β(xi) − bβ(xi)c. By the first assumption,f0 is a positive rational number, so we have0 < f0 < 1. By the second assumption, free variables do not occur in rowi. We can also removethe fixed variables: letN ′ = N ∩ {xj | lj < uj}. Now, if j is the index of a non-basic variable ofN ′ then two cases are possible: eitherβ(xj) = li or β(xj) = uj . Let us define

J = {j ∈ I | xj ∈ N ′ ∧ β(xj) = li}K = {j ∈ I | xj ∈ N ′ ∧ β(xj) = ui}.

The row ofxi, that is, the equation

xi =∑

xj∈Naijxj (4.1)

is satisfied by anyx such thatAx = 0 and we havexi ∈ Z for any x that satisfiesS. For theassignmentβ, we also have

β(xi) =∑

xj∈Naijβ(xj). (4.2)

22

Subtracting (4.2) from (4.1) we obtain the following equation

xi − β(xi) =∑j∈J

aij(xj − lj)−∑j∈K

aij(uj − xj),

which can be rewritten as

xi − bβ(xi)c = f0 +∑j∈J

aij(xj − lj)−∑j∈K

aij(uj − xj) (4.3)

This equation holds for anyx that satisfiesS and, for any suchx we know thatxi − bβ(xi)c is aninteger and that the following inequalities are satisfied:

xj − lj ≥ 0 for all j ∈ Juj − xj ≥ 0 for all j ∈ K.

We now consider two cases:

• If∑

j∈J aij(xj − lj)−∑

j∈K aij(uj − xj) ≥ 0 then we must have

f0 +∑j∈J

aij(xj − lj)−∑j∈K

aij(uj − xj) ≥ 1 (4.4)

since the left-hand-side is an integer. Let us split the setsJ andK as follows:

J+ = {j ∈ J | aij ≥ 0}J− = {j ∈ J | aij < 0}K+ = {j ∈ K | aij ≥ 0}K− = {j ∈ K | aij < 0}.

Then inequality (4.4) implies∑j∈J+

aij(xj − lj)−∑

j∈K−aij(uj − xj) ≥ 1− f0,

or, equivalently, ∑j∈J+

aij1− f0

(xj − lj) +∑

j∈K−

−aij1− f0

(uj − xj) ≥ 1. (4.5)

• If∑

j∈J aij(xj − lj)−∑

j∈K aij(uj − xj) < 0, then we must have

f0 +∑j∈J

aij(xj − lj)−∑j∈K

aij(uj − xj) ≤ 0,

which implies

−∑

j∈J−aij(xj − lj) +

∑j∈K+

aij(uj − xj) ≥ f0,

or ∑j∈J−

−aijf0

(xj − lj) +∑

j∈K+

aijf0

(uj − xj) ≥ 1. (4.6)

23

Combining (4.5) and (4.6) we obtain the following inequality:∑j∈J+

aij1− f0

(xj − lj) +∑

j∈J−

−aijf0

(xj − lj) +

∑j∈K+

aijf0

(uj − xj) +∑

j∈K−

−aij1− f0

(uj − xj) ≥ 1. (4.7)

This is amixed-integer Gomory cut: this inequality is satisfied by anyx that satisfiesS, but it is notsatisfied by the assignmentβ.

4.2.2 A Stronger Gomory Cut

Inequality (4.7) was derived from the fact that

f0 +∑j∈J

aij(xj − lj)−∑j∈K

aij(uj − xj)

is an integer for anyx that satisfiesS. As long as we maintain this property, we can replace thecoefficientsaij with other rationalsa′ij and derive a different cut. In particular, ifxj is an integervariable then we know thatlj anduj are integers so we can replaceaij by anya′ij such that(a

′ij −

aij) ∈ Z. So we can further split the index setsJ andK by distinguishing between integer andnon-integer variables:

J0 = J ∩ IJ1 = J \ J0K0 = K ∩ IK1 = K \K0

Then we can replaceaij by ana′ij such that(a′ij − aij) ∈ Z for anyj ∈ J0 ∪ K0. This preserves

the essential property, namely the fact that

f0 +∑j∈J0

a′ij(xj − lj) +∑j∈J1

aij(xj − lj)−∑

j∈K0

a′ij(uj − xj)−∑

j∈K1

aij(uj − xj) (4.8)

is an integer. From this new term, we can derive a mixed integer cut as before.For j ∈ J0, the best choice fora′ij is the one that leads to the smallest coefficient of(xj − lj) in

the cut. Ifa′ij is positive, this coefficient isa′ij/(1−f0) otherwise it is−a′ij/f0. Letfi = aij−baijc

then a simple analysis shows that the best choice is given by

a′ij = fi = aij − baijc if fi ≤ 1− f0a′ij = fi − 1 = aij − daije if fi > 1− f0

For j ∈ K0 the besta′ij can be determined in a similar fashion and it is given by

a′ij = fi = aij − baijc if fi ≤ f0a′ij = fi − 1 = aij − daije if fi > f0

24

By choosing the coefficientsa′ij as above, we obtain the following inequality, which is thestrongest possible mixed-integer Gomory cut that can be obtained using the previous techniques:∑

j∈J+1

aij1− f0

(xj − lj) +∑

j∈J−1

−aijf0

(xj − lj) +

∑j∈K+1

aijf0

(uj − xj) +∑

j∈K−1

−aij1− f0

(uj − xj) +

∑j∈J0,fj≤1−f0

fj1− f0

(xj − lj) +∑

j∈J0,fj>1−f0

1− fjf0

(xj − lj) +

∑j∈K0,fj≤f0

fjf0

(uj − xj) +∑

j∈K0,fj>f0

1− fj1− f0

(uj − xj) ≥ 1.

25

Chapter 5

Experiments

Figures 5.1, 5.2, 5.3, 5.4, 5.5, 5.6 compares a prototype SMT solver that uses the previous algorithmswith other tools that participated in last year’s SMT competition. The comparison uses all the SMT-LIB benchmarks in the QFRDL (real difference logic), QFIDL (integer difference logic), QFLRA(linear real arithmetic), and QFLIA (linear integer arithmetic) divisions. The experiments wereconducted on identical PCs, all equipped with a 32bit Pentium 4 processor running at 3 GHz. Thetimeout was set to 1 hour and the memory usage was limited to 1 GB. With these timing and memoryconstraints, running all the benchmarks required approximately 60 CPU days.

Each point on the graphs represents a benchmark:+ denotes a difference logic problem and×denotes a problem outside the difference-logic fragment. The axes correspond to the CPU time takenby the new solver (y-axis) or the other solver (x-axis) on each benchmark. CPU times are measuredin seconds. Points below the diagonal are then SMT-LIB benchmarks where our new solver is faster.Points on the leftmost vertical edge are problems where a solver aborted, typically by running outof memory. The graphs comparing our new solver with Barcelogic and Simplics have fewer points,because Barcelogic supports only difference logic and Simplics does not support integer problems.

Table 5.1 summarizes the results. For each tool, it lists the number of instances solved andunsolved, and the total runtime. As can be seen, the new algorithm largely outperforms the othersolvers. It is even faster on problems in the difference logic fragment than tools that are specializedfor this fragment. The performance improvement is due to efficient backtracking and to the pres-implification enabled by our approach, efficient theory propagation based on bound refinement alsohas a big impact.

26

sat unsat failed time (secs)Ario 1.1 186 640 517 1218371BarcelogicTools 153 417 92 401842CVC Lite 117 454 772 1193747MathSAT 3.3.1 330 779 234 739533Yices 358 756 229 702129Simplics 240 351 110 476940New Solver 412 869 62 267198

Table 5.1: Experimental results: Summary

aborttimeout 1000

100

10

1

0.1

0.01 1000 100 10 1 0.1 0.01

ario-1.1

Figure 5.1: Ario 1.1 vs. New Solver

27

aborttimeout 1000

100

10

1

0.1

0.01 1000 100 10 1 0.1 0.01

bclt

Figure 5.2: BarcelogicTools vs. New Solver

aborttimeout 1000

100

10

1

0.1

0.01 1000 100 10 1 0.1 0.01

cvcl

Figure 5.3: CVC Lite 2.0 vs. New Solver

28

aborttimeout 1000

100

10

1

0.1

0.01 1000 100 10 1 0.1 0.01

mathsat-3.3.1

Figure 5.4: MathSAT 3.3.1 vs. New Solver

aborttimeout 1000

100

10

1

0.1

0.01 1000 100 10 1 0.1 0.01

simplics-smtcomp-05

Figure 5.5: Simplics vs. New Solver

29

aborttimeout 1000

100

10

1

0.1

0.01 1000 100 10 1 0.1 0.01

yices-smtcomp-05

Figure 5.6: Yices vs. New Solver

30

Chapter 6

Conclusion

We have presented a new Simplex-based solver designed for efficiently solving SMT problems in-volving linear arithmetic. The main features of the new approach include the possibility to presim-plify the input problem by eliminating variables, a reduction in the number of slack variables, andfast backtracking. A simple but useful form of theory propagation can also be implemented cheaply.Another result of the paper is a simple approach for solving strict inequalities that does not requiremodification of the basic Simplex algorithm. This approach is more generally applicable to otherforms of solvers, such as graph-based solvers for difference logic.

Experimental results show that the new Simplex-based solver outperforms the most competitivesolvers from SMT-COMP’05, including specialized solvers on difference logic problems.

Applications for the algorithm presented in this paper go beyond SMT. We are currently extend-ing the solver to support a form of weighted MAX-SMT, that is, the search for an assignment to anSMT problem that maximizes a linear objective function. This MAX-SMT solver will be integratedto SRI’s CALO system1, as part of a module that combines learning and deductive algorithms.

1http://caloproject.sri.com/

31

http://caloproject.sri.com/

Bibliography

[1] G.J. Badros, A. Borning, and P.J. Stuckey. The Cassowary linear arithmetic constraint solv-ing algorithm. ACM Transactions on Computer-Human Interaction (TOCHI), 8(4):267–306,December 2001.

[2] C. Barrett and S. Berezin. CVC Lite: A new implementation of the cooperating validitychecker. InInt. Conf. on Computer-Aided Verification (CAV), volume 3114 ofLNCS. Springer,2004.

[3] C. Barrett, L. de Moura, and A. Stump. Design and results of the 1st satisfiability modulotheories competition (SMT-COMP 2005). To appear in Journal of Automated Reasoning,2006.

[4] C. Barrett, D. Dill, and J. Levitt. Validity checking for combinations of theories with equality.In Int. Conference on Formal Methods in Computer-Aided Design (FMCAD), volume 1166 ofLNCS, pages 187–201, 1996.

[5] R. E. Bixby, M. Fenelon, Z.gu, E. Rothberg, and R. Wunderling. MIP: theory and practice –closing the gap. In M. J. D. Powell and S. Scholtes, editors,System Modelling and Optimiza-tion: Methods, Theory, and Applications. Kluwer, 2000.

[6] M. Bozzano, R. Bruttomesso, A. Cimatti, T. Junttila, P. van Rossum, S. Schulz, and R. Sebas-tiani. The MathSAT 3 system. InInt. Conference on Automated Deduction (CADE), volume3632 ofLNCS. Springer, 2005.

[7] V. Chvatal.Linear Programming. W. H. Freeman, 1983.

[8] G.B. Dantzig and B. Curtis. Fourier-Motzkin elimination and its dual.Journal of Combinato-rial Theory, pages 288–297, 1973.

[9] D. Detlefs, G. Nelson, and J. B. Saxe. Simplify: A theorem prover for program checking.Technical Report HPL-2003-148, HP Labs, 2003.

[10] J.-C. Filliâtre, S. Owre, H. Rueß, and N. Shankar. ICS: Integrated Canonization and Solving.In Proc. of CAV’01, volume 2102 ofLNCS, 2001.

[11] H. Ganzinger, G. Hagen, R. Nieuwenhuis, A. Oliveras, and C. Tinelli. DPLL(T): Fast decisionprocedures. In R. Alur and D. Peled, editors,Int. Conference on Computer Aided Verification(CAV’04), volume 3114 ofLNCS, pages 175–188. Springer, 2004.

32

[12] G.C. Necula. Compiling with proofs. Technical Report CMU-CS-98-154, School of ComputerScience, Carnegie Mellon University, 1998.

[13] G. Nemhauser and L. Wosley.Integer and Combinatorial Optimization. Wiley, 1999.

[14] R. Nieuwenhuis and A. Oliveras. DPLL(T) with exhaustive theory propagation and its appli-cation to difference logic. InInt. Conference on Computer Aided Verification (CAV’05), pages321–334. Springer, 2005.

[15] H. Rueß and N. Shankar. Solving linear arithmetic constraints. Technical Report SRI-CSL-04-01, SRI International, 2004.

[16] A. Schrijver.Theory of Linear and Integer Programming. Wiley, New York, 1986.

[17] H. M. Sheini and K. A. Sakallah. A scalable method for solving satisfiability of integer lineararithmetic logic. InSAT’05, volume 3569 ofLNCS, pages 241–256. Springer, 2005.

[18] A. Stump, C.W. Barrett, and D.L. Dill. CVC: A Cooperating Validity Checker. InInt. Confer-ence on Computer Aided Verification (CAV’02), volume 2404 ofLNCS. Springer, 2002.

[19] C. Wang, F. Ivancic, M. Ganai, and A. Gupta. Deciding separation logic formulae with SATand incremental negative cycle elimination. InLogic for Programming Artificial Intelligenceand Reasoning (LPAR), 2005.

33

IntroductionBackgroundSolvers for DPPL(T)Existing Simplex Solvers for DPLL(T)Performance

A Linear-Arithmetic Solver for DPLL(T)PreprocessingBasic SolverMain AlgorithmGenerating ExplanationsAssertion ProceduresBacktrackingTheory PropagationExample

Strict Inequalities

Integer and Mixed Integer ProblemsBranch and BoundGomory CutsDerivation of a Gomory CutA Stronger Gomory Cut

ExperimentsConclusion